CVSS: 5.3EPSS: 1%CPEs: 3EXPL: 1CVE-2011-2207
https://notcve.org/view.php?id=CVE-2011-2207
27 Nov 2019 — dirmngr before 2.1.0 improperly handles certain system calls, which allows remote attackers to cause a denial of service (DOS) via a specially-crafted certificate. dirmngr versiones anteriores a la versión 2.1.0, maneja inapropiadamente determinadas llamadas del sistema, lo que permite a atacantes remotos causar una denegación de servicio (DOS) por medio de un certificado especialmente diseñado. • https://access.redhat.com/security/cve/cve-2011-2207 • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 1CVE-2019-13050 – GnuPG: interaction between the sks-keyserver code and GnuPG allows for a Certificate Spamming Attack which leads to persistent DoS
https://notcve.org/view.php?id=CVE-2019-13050
29 Jun 2019 — Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack. La interacción entre el código sks-keyserver hasta versión 1.2.0 de la red SKS keyserver, y GnuPG hasta la versión 2.2.16, hace arriesgado tener una línea de configuración... • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html • CWE-295: Improper Certificate Validation CWE-297: Improper Validation of Certificate with Host Mismatch •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2019-12904
https://notcve.org/view.php?id=CVE-2019-12904
19 Jun 2019 — In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) NOTE: the vendor's position is that the issue report cannot be validated because there is no description of an attack ** EN DISPUTA ** En Libgcrypt versión 1.8.4, la implementación en C de AES es vulnerable a un ataque de canal lateral de descar... • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00049.html • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2018-1000858 – gnupg2: Cross site request forgery in dirmngr resulting in an information disclosure or denial of service
https://notcve.org/view.php?id=CVE-2018-1000858
20 Dec 2018 — GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060. GnuPG, de la versión 2.1.12 a la 2.2.11, contiene una vulnerabilidad Cross-Site Req... • https://sektioneins.de/en/advisories/advisory-012018-gnupg-wkd.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.1EPSS: 0%CPEs: 15EXPL: 1CVE-2018-0495 – ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries
https://notcve.org/view.php?id=CVE-2018-0495
13 Jun 2018 — Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. Libgcrypt en versiones anteriores a la 1.7.10 y versiones 1.8.x anteriores... • http://www.securitytracker.com/id/1041144 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-203: Observable Discrepancy •
CVSS: 7.5EPSS: 1%CPEs: 20EXPL: 1CVE-2018-12020 – gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification
https://notcve.org/view.php?id=CVE-2018-12020
08 Jun 2018 — mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes. mainproc.c en GnuPG en versiones anteriores a la 2.2.8 gestiona de manera incorrecta el nombre de archi... • https://packetstorm.news/files/id/152703 • CWE-20: Improper Input Validation CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2018-9234 – Ubuntu Security Notice USN-3675-1
https://notcve.org/view.php?id=CVE-2018-9234
04 Apr 2018 — GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey. GnuPG 2.2.4 y 2.2.5 no aplica una configuración en la que la certificación de claves requiere una clave maestra Certify offline. Esto resulta en que certificados aparentemente válidos ocurran solo con acceso a una subclave de firma. Marcus Brinkmann discovered that during decryption or ve... • https://dev.gnupg.org/T3844 • CWE-320: Key Management Errors •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-6829
https://notcve.org/view.php?id=CVE-2018-6829
07 Feb 2018 — cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. cipher/elgamal.c en Libgcrypt hasta la versión 1.8.2, al emplearse para cifrar mensajes directamente, cifra los textos planos indebid... • https://github.com/weikengchen/attack-on-libgcrypt-elgamal • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0CVE-2017-0379 – Slackware Security Advisory - libgcrypt Updates
https://notcve.org/view.php?id=CVE-2017-0379
29 Aug 2017 — Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c. Libgcrypt en versiones anteriores a la 1.8.1 no considera correctamente ataques de canal lateral Curve25519, lo que facilita que los atacantes descubran una clave secreta relacionada con cipher/ecc.c y mpi/ec.c. Daniel Genkin, Luke Valenta, and Yuval Yarom discovered that Libgcrypt was susceptible to an attack via side channels... • http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 3%CPEs: 6EXPL: 0CVE-2017-7526 – Slackware Security Advisory - gnupg Updates
https://notcve.org/view.php?id=CVE-2017-7526
03 Jul 2017 — libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used. libgcrypt en versiones anteriores a la 1.7.8 es vulnerable a un ataque de canal lateral de memoria caché, resu... • http://www.securityfocus.com/bid/99338 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-310: Cryptographic Issues •